IPv6 Security Challenges: Experts Offer Advice for Organizations Planning to Deploy IPv6, Starting with Ensuring Visibility and Control.
World IPv6 Launch day is scheduled for June 6 with the goal of bringing major Internet Service Providers (ISPs) and Web companies together to jumpstart widespread adoption of IPv6. But from a security standpoint, companies should follow an old saying: look before you leap.
One of the main challenges for organizations is to maintain the visibility and control over their IPv6 traffic that they have had over IPv4 traffic.
"The first requirement for security is visibility," said Dr. Scott Iekel-Johnson, product manager at Arbor Networks. "You can't protect yourself against traffic that you can't see. And unfortunately, in some cases at least, in their rush to roll out IPv6 support some vendors have opted to leave out visibility features that they have long supported for IPv4. Enterprises moving to IPv6 should make sure that their equipment supports all of the visibility features for IPv6 beyond just the basic ability to forward and process IPv6 packets."
That may mean organizations have to revamp their network, advised Stonesoft, upgrading outmoded or outdated features.
"A lot of people think there isn’t much difference between securing IPv6 traffic and IPv4 – and that’s not true," said Richard Benigno, vice president at Stonesoft, in a statement. "This misperception is compounded by the fact that organizations aren’t sure what needs to be done when, and that vendors are making false claims about how well their products perform in an IPv6-ready network."
As migration from IPv4 to IPv6 increases, more and more Internet traffic will be carried via tunnels, which enable IPv6 hosts and routers to connect with other IPv6 devices over the IPv4 Internet. According to Stonesoft, the National Institute of Standards and Technology’s “Guidelines for the Secure Deployment of IPv6” recommends that companies inspect every single shard of tunnel traffic before permitting it to enter or exit their systems. This inspection consists of reviewing all IPv6 traffic, including traffic carried within IPv4 packets, with the same scrutiny as all other traffic.
"The first [error] that comes to mind is believing your firewall is filtering IPv6," said Michael Hamelin, chief security architect at Tufin Technologies. "Make sure it is and it's not just configured to pass IPv6. Make sure you are watching the current articles about IPv6 security, for example have you already looked into how your firewall can be configured to block type 0 routing headers? Have you adopted a very logical IPv6 addressing scheme…you need to understand when you have an IPv6 and IPv4 address on the same server (dual stacked) that they are the same server when you look at your firewall rules and your IPS logs."
With IPv4, it tends to be somewhat common behavior to block all ICMP messages, explained Bill Cerveny, senior quality assurance engineer at Arbor Networks.
"With IPv6, it is important that ICMPv6 "Packet Too Big" messages be allowed to transit the network," he said. "Since the IPv6 specification requires that intermediate nodes such as routers drop packets that are too large to be transited, it is really important that the source of these large packets receive ICMPv6 ³Packet Too Big² messages. There are many places where ICMPv6 "Packet Too Big" messages can be inadvertently dropped; security devices must be configured to allow these packets through."
IPv6 and IPv4 make insecure bedfellows, said Carl Herberger, vice president of security solutions, Radware.
"There have been no predefined standards in the way to handle the facilitation of the cohabitation of IPv4 with IPv6 so there has been shortage of ‘transition mechanisms’ which have popped up and have been, in most part, widely adopted," he told SecurityWeek. "Once again, these transition mechanisms facilitate the transitioning of the Internet from its initial IPv4 infrastructure to IPv6…Some basic IPv6 transition mechanisms have been defined; however nothing has yet emerged as a proposed uniform standard."
As such, he said, the world is awash with the mechanisms, which are all over the map but are largely defined in categories such as IPv6 over IPv4 (6over4), 6rd and 6to4.
"If you are familiar with network perimeter security devices, one of the things they do well is deep packet inspection and stateful aware analysis," he continued. "However, [one] of the dirty little secrets is that nearly none of today’s technologies have a capability to inspect encrypted traffic such as SSL… or the ability to inspect tunneling protocols such as L2TP, PPTP, etc. What IPv4 and IPv6 transition does is effectively exacerbate these “Achilles heels” in security detection capabilities by introducing a whole new category of nearly undetectable transmissions."
Despite these challenges, Arbor Networks' Iekel-Johnson said he expects to see an uptick in IPv6 adoption after World IPv6 Launch.
"Overall we've seen steady growth in IPv6 traffic rates since IPv6 day last year, almost doubling from around 0.04 percent to 0.08 percent of traffic in our surveys," he said. "With the focus this year for sites to leave their content accessible via IPv6 after IPv6 Launch day itself, we predict another bump in IPv6 adoption and larger growth of IPv6 usage across the board. Though I think we are still some time away from a significant percentage of Internet traffic being IPv6, we have made good progress over the last year and will see continued steady growth in that direction."